Heres some info i found thanks to 4th_gen
Hi
Have been asked to do a tut for setting up a cable server as seems that people don't know how to set one up.
There are three sets of boxes we can use to share our cards between family and friends.
First of these boxes is the pace box (seems virginmedia still installing them) non HD.
The pace box uses the dt08 method which can be got from the card using nagraedit and sending a d2c to it (can be found on most cable or sat forums)
Thanks to the coder for the d2c
Instructions:
1 Stick your N2/N3 card in your card reader
2 Run NagraEdit – DO NOT ATTEMPT TO READ YOUR CARD !!!
3 Select the Comm Tab. This should give you an upper and lower text pane
4 Cut/Paste the scriptt below into the top pane
5 Press the “Send D2C” button/icon
6 Results should appear in bottom pane
7 Interpret your results based on info below.
Script – Read DT06/DT08
Code:
rs
tx 21 C1 01 FE 1F
rx
tx 21 00 08 A0 CA 00 00 02 12 00 06 55
dl 02 00
rx
dl 02 00
tx 21 00 09 A0 CA 00 00 03 22 01 7E 00 1C
dl 02 00
rx
dl 02 00
mg *
mg *** DT06 info ***
tx 21 00 09 A0 CA 00 00 03 22 01 06 13 **
dl 02 00
rx
mg DT06 response1
dl 02 00
tx 21 40 09 A0 CA 00 00 03 22 01 86 13 **
dl 02 00
rx
dl 02 00
mg DT06 response2
mg *** End DT06 info ***
mg *
mg *** DT08 info ***
tx 21 40 09 A0 CA 00 00 03 22 01 08 13 **
dl 02 00
rx
mg DT08 response1
dl 02 00
tx 21 00 09 00 00 03 22 01 C8 A0 CA 55 **
dl 02 00
rx
dl 02 00
mg DT08 response2
tx 21 40 09 A0 CA 00 00 03 22 01 88 55 **
dl 02 00
rx
mg DT08 response3
dl 02 00
mg *** End DT08 info ***
*******
Just to clarify :
The important bits your looking at are the DT06/DT08 responses (the bits that start with Rx: )
ie RX: 12 00 15 A2 11 08 E0 00 00 00 5E 01 20 00 00 00
00 00 00 00 00 00 90 00 B3
RX: 12 40 15 A2 11 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 90 00 64
RX: 12 00 15 A2 11 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 90 00 24
and
RX: 12 40 57 A2 53 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 90 00 64
things we need
128 rsa key this comes in two 64 byte sections one is public and one is in box.
ird again can be found from card (also can get from old n1 card)
camid again can be found from card (serial on bottom of card convert to hex)
boxkey can either be found on old n1 card or from (4010)
program called dt08 <<<<<<<<<<<<<<< more than likely can still be found on some spanish forums or even some members have it here.
this will give you your cam_n needed to run cams
second of these boxes is the samsung 2100,2010 (non HD) virginmedia are still installing these 100% as off 4/11//2014
the easiest of these to do is the sammy 2100
this is done the same way as the old n1 days to get boxkey with
using (holding the updown button for 5 seconds before powering on)
will return the sk from ram which holds our cam_ and boxkey
just the same as old days dumping ram for n1 boxkey
the 2010 can be done using a ram dumper and a modification on the box, was never public for reasons you can guess
The third of these boxes is the cisco,tivo,etc these all require REMOVEL of the NOR chip this holds your 016C block.
and if you want to learn how it works (decrypt your 016C block then also dump the NAND chip this hold the firmware the cak6) i recomend dumping the NAND chip from a box you find or not paying for
the 016C block can be found at FC00H IN DUMP.
then you either learn how to decrypt it or get someone to do it for you
things you need
hotair station (for removel, replacement of chip) £60-£120
chip reader with ebga64 adapter £200- £500
jig <<<<<<<<<<<<<< homemade just to mark where the chip goes back as can't see the balls so easier to have a jig set in place.
reballing kit £80 - £200
codeing skills £priceless
if doing it yourself
carpairn file or lib libary for cak6 you might be able to find it on the net or using ida with the NAND dump yu can trace it.
that will leave us with the,
cam_n
camid (from serial on card) 5 bytes beginning with 20 converted to hex gives us 4 bytes
boxkey which can begotten when you decrypt your 016C dump
from dump
30 08: y1,y1,y1,y1,y1,y1,y1,y1
xor with
D0 08: y2,y2,y2,y2,y2,y2,y2,y2
RESULT= boxkey
II II II II XX XX XX XX XX XX XX XX XX XX Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 CS CS
#
# II = IRD serial number.
# XX = Unimportant.
# Y1, Y2 = SK signature and also used to calculate the box key.
# SK = Actual secondary key data (CAM N, public modulus).
# CS = Checksum.
Next we go onto cams
cams used to read card
oscam
sbox
for me i like sbox so easy to use and was made for nagra cards.
First of we download sbox
now depending on where we going to place are card ie dm box, smartreader,omnikey reader.
there is different setting.
if only using 1 card for family and friends i would just use a box like dm box that i will be also watching tv on.it also handy if you can't get the chip replaced back on box.
install sbox on box,server if on box it goes
/var/bin
sbox
sbox.conf
users.sbox
portlist goes /var/keys
the main thing in sbox.conf you need to change are these.
server_only=1 # 0=mixed mode 1=only server
# if using in a box change it to mixed mode so you can also watch channels on the box
[slot0]
active=1 # 0=inactive 1=active
sci=0 #/dev/sci0 # lower
ncdserver=1 # 0=newcamd server off 1=newcamd server on
deskey=0102030405060708091011121314 # newcamd deskey
port=00000 # newcamd port
mhz=368 # Mhz for card in this reader, DON'T WORK ON PHOENIX INTERFACE. Example: mhz=357, mhz=368
reader=3 # 0=phoenix, 1=sci (internal reader), 2=smartreader, 3=omnikey pcsc reader
cache=0 # how many ecms can be cached, 0 or less=cache disabled
# things to change here are your port and reader depending on what your using
[slot0]
#Nagra2 /3 Example
[xxxxxxxx] # nagra2 camid (4 bytes)
rsa= # rsa "n" from
#this card (like newcs)
gppkeypubbeta= # alternative method
gppkeypub=
boxkey= # boxkey from this card
emm=0 # 0=accept all 1=block emms 2=block emmu 4=block emmg
portlist=0 # use portlist or no
portlistpath=/var/keys/port.list # path from port.list
controlsid=0:0
All you enter here is your camid you get from the serial on card begins with 20 (5 bytes) converted to hex (4 bytes)
the cam_n where it says rsa or if you using the dt08 method and have the 128 byte rsa key you enter that into 64 byte parts where it says gppkeypub= # alternative method
beta is the public 64 bytes and pub is not public 64 bytes
and boxkey you got from the bytes at
30 08: xx xx xx xx xx xx xx xx
xor with
D0 08: XX XX XX XX XX XX XX XX
or if dt08 then just the n1 boxkey
easy enough as most will know how to set it up
same for oscam just enter cam_n and boxkey
next csp
I take it most people that run a server use csp or multics
this is the profile for virginmedia.
<profile name="virginmedia" ca-id="1841" network-id="f020" provider-idents="00 00 00,00 5A 01,00 5B 01,00 5B 03" enabled="true" debug="false">
<newcamd listen-port="00000"/>
<card-data type="config" ca-id="1841">
<providers>00 00 00,00 5A 01,00 5B 01,00 5B 03</providers>
</card-data>
<no-validation>true</no-validation>
<filter-cards>provider</filter-cards>
<services-file format="cccam" ca-id="1841" filter="000000">etc/CCcam.channelinfo</services-file>
<cannot-decode-wait>1</cannot-decode-wait>
# This bit is important at the minute vm can wait 10 seconds between ecms (this could change as it has abroad)
<max-cw-wait>9700ms</max-cw-wait>
<newcamd-connector name="Card2" profile="virginmedia" provider-idents="00 00 00,00 5A 01,00 5B 01,00 5B 03" enabled="true" metric="0">
<host>my.dyndns.org</host>
<port>00000</port>
<user>dummy1</user>
<password>dummy1</password>
<au-users>who you want to send you update emms </au-users>
<asynchronous>true</asynchronous>
<block-services></block-services>
</newcamd-connector>
# This is how a newcamd connector will look in status page in csp when using sbox as reader.
Provider-idents: [00 00 00, 00 5A 01, 00 5B 01, 00 5B 03]
Connected: 2014-11-03 12:12:12
Uptime: 1d 4h 28m 31s
Card-data: UserID [1] CaID [1841] Providers [3] [00 5A 01, 00 5B 01, 00 5B 03] Anonymous [No (Card2)]
Processing time: 422 ms (avg: 388 ms)
Utilization: 16% (total: 14%)
Estimated capacity: 28
Queue size: 0
ECM count: 39116
ECM load: 4 (over the last cw-max-age period)
Timeouts: 5
oscam will give you this in providers:Card-data: UserID [2] CaID [1841] Providers [4] [00 5A 01, 00 5B 01, 00 5B 03, 00 00 00] Anonymous [Yes
now if you have multi cards or using N: lines from someone else who is using different readers ie oscam
the providers will come up different and you will get message in events about csp complaining about merging lest efficient as providers are different.
you want it running smoothly like this.
Name: Cspvm
State: up
Started: 2014-10-28 05:31:58
Uptime: 1w 11h 22m 13s
Connectors: 8
Sessions: 59 (active: 36)
Estimated total capacity: 174 (ECM->CW transactions per CW-validity-period)
Estimated total load: 23 (forwards during the last period)
ECM total: 1668808 (average rate: 3/s)
ECM forwards: 1231540 (73.8%)
ECM cache hits: 431872 (25.9%)
ECM denied: 268 (.0%)
ECM filtered: 2922 (.2%)
ECM failures: 10
EMM total: 0
All i can think of at the minute if anyone wants any thing else ask and if i can i will answer.
Not to hot on explaining things but if helps someone.
thanks
